Audit Report

MANAGEMENT OF THE JOINT SIMULATION SYSTEM

Report No. D-2002-005 (Project No. D2000AL-0284.01)
October 12, 2001

Office of the Inspector General
Department of Defense

Acronyms

DAs           Development Agents
HLA           High Level Architecture
JSIMS         Joint Simulation System
PM            Program Manager
USD (AT&L)    Under Secretary of Defense for Acquisition, Technology, and Logistics

Executive Summary

Introduction. We performed this audit in response to a request from the Director, Joint Staff, to evaluate the management of the Joint Simulation System. The Joint Simulation System is a joint training, analysis, and evaluation software tool that will realistically represent the full range of military joint task force operations and provide a synthetic battlefield. The Joint Simulation System was designated an Acquisition Category ID program on December 16, 1999, and is projected to expend nearly $1.55 billion.

This is the second audit report on the management of the Joint Simulation System. The first report addressed specific management concerns raised by the Director, Joint Staff. This report addresses the broader topic of overall financial and program management of the development and acquisition of the Joint Simulation System.

Objectives. The audit objective was to evaluate the financial and program management of the Joint Simulation System. We also evaluated the management control program related to the objective. See Appendix A for a discussion of the audit scope and methodology and the review of the management control program.

Results. The Joint Simulation System Program Manager has made significant progress toward complying with DoD security and acquisition policies. However, the Joint Simulation System may not receive security certification and accreditation in time for scheduled initial operating capability. Further, the Joint Simulation System acquisition program baselines are not complete or accurate and may not be attainable.
As a result, there were no assurances that the Joint Simulation System would provide the level of information technology security required by initial operating capability or that the Milestone Decision Authority would be able to make informed investment decisions concerning the acquisition of the Joint Simulation System.

Summary of Recommendations. We recommend that the Joint Simulation System Program Manager develop an overall security policy in accordance with DS-2610-142-01, “DoD Intelligence Information System Security Certification and Accreditation Guide,” April 2001; complete the System Security Authorization Agreement; create a secure trusted environment for the development of the Common Component Workstation; require that the Joint Simulation Development Agents provide complete earned value management information; and construct complete life-cycle cost estimates that include unfunded requirements.

Management Comments. In general, the Joint Simulation System Program Manager concurred with the report recommendations, found many of the draft audit report comments to be accurate, and stated that the Joint Simulation System Program Office will continue to pursue solutions to resolve the problems noted. Management did, however, disagree with specific aspects of the finding and proffered alternative criteria for implementing one of the recommendations. Although management agreed that the Earned Value Management System has been problematic, they did not agree that there was no assurance that the system will be delivered on time and within budget. The Joint Simulation System Program Manager indicated that other metrics were used in addition to the Earned Value Management System to determine whether costs and schedules were on track, including reviews of planned/delivered source lines of code and planned/delivered functionality for each integration event.
The Joint Simulation System Program Manager also stated that there were no unfunded requirements associated with the Joint Simulation System. Further, the Program Manager did not agree that the Joint Simulation System may not receive security accreditation in time for initial operating capability. He stated that there was no obstacle to providing all security documentation prior to system fielding and that there were no known security requirements not currently funded.

The Program Manager stated that the Joint Simulation System security policy had been published and that the system’s security procedures manual and security standard operating procedures were being written. Those actions were initiated in accordance with DS-2601-142-01, “DoD Intelligence Information System Security Certification and Accreditation Guide,” April 2001, rather than DoD Instruction 5200.40, “DoD Information Technology Security Certification and Accreditation Process,” December 30, 1997, recommended in the draft report. Funding has been requested to create a secure trusted environment for the development of the Common Component Workstation and corrective actions are ongoing to implement the recommendations addressing the Earned Value Management System and life-cycle cost estimates. A discussion of the management comments is in the Finding section of the report, and the complete text of the management comments is in the Management Comments section.

Audit Response. Management actions with respect to the recommendations are responsive. The report has been revised to incorporate provisions for use of DS-2601-142-01, “DoD Intelligence Information System Security Certification and Accreditation Guide,” April 2001, as a basis for developing security policy and documentation.
Regarding the management comments on the report findings, we still maintain that there is no assurance that the system will meet cost and schedule goals for initial operating capability. Also, based on recent consultation with the Designated Approving Authority, we still contend that it will be difficult for the Joint Simulation System to obtain security certification and accreditation prior to initial operating capability. Although Joint Simulation System security personnel have made great strides in identifying and documenting those security requirements, significant work still remains to satisfy those requirements.

Table of Contents

Executive Summary

Introduction
     Background
     Objectives

Finding
     Program Performance, Cost, and Schedule

Appendixes
     A. Audit Process
         Scope
         Methodology
         Management Control Program Review
         Prior Coverage
     B. Development Agents
     C. Acquisition Guidance
     D. Report Distribution

Management Comments
     Program Office, Joint Simulation System

Background

The Joint Simulation System (JSIMS), as of April 2001, in system development, is a joint training, analysis, and evaluation software tool that will realistically represent the full range of military joint task force operations and provide a synthetic battlefield.
The JSIMS mission needs statement states that:

     The mission of the JSIMS is to provide readily available, operationally valid, computer-simulated environments for use by the Unified Commands, their components, other joint organizations, and the Services to jointly educate, train, develop doctrine and tactics, formulate and assess operational plans, assess warfighting situations, define operational requirements, and provide operational input to the acquisition process.

JSIMS software will be compliant with the High Level Architecture[1] (HLA) in order to support interoperability with other DoD training and analysis simulations. JSIMS software will interface with command, control, communications, computers, and intelligence functions and equipment in the field. It will provide flexible support for joint force training by using efficient, composable simulations tailored to the users’ needs. JSIMS will be composed of specific land, maritime, air and space, and other functional domains that will operate in a joint synthetic battlespace. It will create a coherent operational environment between the levels of war, synchronized between types of events, and realistic in the context of the specific joint training scenarios.

JSIMS software will provide the core infrastructure and life-cycle applications to support the effective design, planning, preparation, execution, and post-execution assessment for joint training exercises and other uses.
JSIMS will facilitate scenario design, development, and execution by providing tools that systematically link scenario objectives, events, performance measures, and feedback. The Common Component Workstation is a key component of JSIMS because it comprises most of the user interfaces including scenario generation, exercise control, unit control, and evaluation and reporting.

Management and Oversight. On December 16, 1999, the Under Secretary of Defense for Acquisition, Technology, and Logistics (USD [AT&L]) restructured JSIMS. The USD (AT&L) designated the Army as the Program Executive Office for JSIMS, and the Commander, U.S. Army Simulation, Training, and Instrumentation Command, as the Program Manager (PM). The JSIMS PM reports directly to the USD (AT&L) with coordination through the Army Acquisition Executive. The JSIMS PM also provides financial reporting to the Joint Staff. The USD (AT&L) also designated JSIMS, including all of its Service and agency components, as an Acquisition Category ID[2] program and further directed that JSIMS transition to the HLA. The Joint Staff Director for Operational Plans and Interoperability is responsible for the fiscal oversight of the JSIMS common components. The JSIMS PM executes those funds on behalf of the Joint Staff.

[1] HLA is a software architecture structure for major functional elements, interfaces, and design. It pertains to all DoD simulation applications and provides a common framework for the interoperability of simulations, within which specific system architectures can be defined.

JSIMS has nine Development Agents (DAs), each responsible for the development of different aspects of JSIMS.
The nine DAs represent each Military Department, the Intelligence Community, and the Office of the Secretary of Defense. The Service DAs are developing JSIMS components that can independently meet the training needs of the respective Services. See Appendix B for a complete list of the JSIMS DAs and a description of their responsibilities.

The Assistant Secretary of Defense for Command, Control, Communications, and Intelligence oversees and reviews JSIMS implementation of the Clinger-Cohen Act and DoD Instruction 5200.40, “DoD Information Technology Security Certification and Accreditation Process,” December 30, 1997.[3]

System Development. JSIMS was designated an Acquisition Category ID program on December 16, 1999. Prior to that date, JSIMS was an Acquisition Category II program, and it was not required to pass milestone reviews conducted by the Defense Acquisition Board. On September 10, 1996, the USD (AT&L) issued a policy memorandum designating HLA as the standard technical architecture for all DoD simulations. The policy required any simulation not compliant with HLA by October 1, 2000, to be retired, unless a waiver was obtained from the Director, Defense Research and Engineering. Although the JSIMS core development contract was awarded in December 1996, the program did not move toward HLA compliance until USD (AT&L) directed JSIMS management to do so in December 1999, almost 3 years after JSIMS development began.

During our audit, we tried to determine how much money was spent on development efforts that were undertaken after September 1996 and could not transition to the new HLA architecture.
Because of the lack of detailed financial information, we could not calculate a complete total. However, we were able to estimate that at least $18.4 million was unnecessarily spent on development efforts that could not be transitioned. As certain DAs could not provide any cost data, the $18.4 million estimate may be significantly understated.

[2] An Acquisition Category ID program is designated by the Under Secretary of Defense for Acquisition, Technology, and Logistics as a Major Defense Acquisition Program, and is estimated to require a total expenditure for research, development, test and evaluation of more than $365 million or, for procurement, of more than $2.19 billion in FY 2000 constant dollars.

[3] DoD Instruction 5200.40 defines the activities leading to security certification and accreditation. The objective of the DoD Information Technology Security Certification and Accreditation Process is to establish a DoD standard infrastructure-centric approach that protects and secures the entities comprising the Defense Information Infrastructure. See Appendix C for more detail.

The initial deployment blocks of JSIMS software, Block I and Block II, currently in the System Development and Demonstration Phase B of development, are scheduled for a Milestone C, Production and Deployment, Defense Acquisition Board review in September 2002. Partially because of the initial reluctance to use the HLA, the initial operating capability for JSIMS, originally scheduled for December 1999, has been delayed three times, and it is scheduled for March 2003.

Funding.
JSIMS is projected to expend nearly $1.55 billion ($1.13 billion in research, development, test, and evaluation funds; $0.18 billion in procurement funds; and $0.24 billion in operation and maintenance funds) from 1996 through 2007. Eight of the DAs are independently funded through respective departments or agencies. The ninth DA is funded directly by the JSIMS PM. The Army is the single largest DA, with a projected budget of $627 million from 1996 through 2007.

Objectives

The audit objective was to evaluate the financial and program management of the JSIMS. We also reviewed management controls as they related to the audit objectives. See Appendix A for a discussion of the audit scope and methodology, the review of the management control program, and prior audit coverage.

Program Performance, Cost, and Schedule

The Joint Simulation System (JSIMS) Program Office has made significant progress toward complying with DoD security and acquisition policies.
However, JSIMS may not receive security certification and accreditation in time for scheduled initial operating capability because not all information technology security requirements have been satisfied. In addition, the acquisition program baselines for JSIMS were not complete or accurate and may not be attainable because:

• the JSIMS Earned Value Management System has not provided management with adequate cost and schedule information;

• the JSIMS management has not constructed complete life-cycle cost estimates; and

• there were validated and emerging system requirements for which funding had not been established.

As a result, there were no assurances that JSIMS would provide the level of information technology security required by initial operating capability or that the Milestone Decision Authority would be able to make informed investment decisions concerning the JSIMS acquisition.

Mandatory Guidance

The Office of Management and Budget and DoD provide managers with guidance for acquiring information technology investments and safeguarding information. Appendix C describes the guidance as it relates to the JSIMS acquisition.

Acquisition Category ID Compliance. On December 16, 1999, the Under Secretary of Defense for Acquisition, Technology, and Logistics issued a memorandum designating JSIMS as an Acquisition Category ID program. An Acquisition Category ID program is a Major Defense Acquisition Program subject to review by the Defense Acquisition Board.
DoD Instruction 5000.2, “Operation of the Defense Acquisition System,” Change 1, January 4, 2001, outlines the documents required for Acquisition Category ID programs. When the audit began in September 2000, required Acquisition Category ID program documents such as the acquisition strategy, the test and evaluation management plan, and the risk management plan did not exist. Further, the JSIMS program was not in compliance with the information technology acquisition requirements of the Clinger-Cohen Act, which requires economic analysis, performance measures, business process reengineering, and an information assurance strategy. Specifically, the JSIMS PM had no documentation regarding JSIMS compliance with the Clinger-Cohen Act.[4] During the course of the audit, the new JSIMS management team worked diligently to generate the documents needed to comply with DoD policy and congressional direction. Although some of those documents were not finalized, the JSIMS PM has made every effort to adhere to DoD policy, and he is making significant progress towards attaining compliance, thereby reducing our concerns in those areas. However, JSIMS and its Common Component Workstation will have a difficult time obtaining system security certification and accreditation. Further, several factors may impact the attainability of JSIMS cost and schedule objectives.

[4] The Clinger-Cohen Act governs the acquisition of information technology, which requires Chief Information Officer monitoring of system acquisition and the establishment of performance measures regarding progress towards meeting program objectives.

JSIMS Information Technology Security Certification and Accreditation

Prior to March 2000, the JSIMS Program Office did not take action to comply with DoD Instruction 5200.40, “DoD Information Technology Security Certification and Accreditation Process,” December 30, 1997, or with the DS-2610-142-01, “DoD Intelligence Information System Security (DoDIIS) Certification and Accreditation Guide,” April 2001. Since that time, the JSIMS PM has made significant progress towards complying with those requirements; however, a considerable amount of work remains to attain system security certification[5] and accreditation[6] for JSIMS and its Common Component Workstation. Additional obstacles that need to be overcome include the approval of the System Security Authorization Agreement.

Security Certification and Accreditation of JSIMS. The JSIMS may not attain security certification and accreditation for Version Release Module 1, scheduled for March 2002; Milestone C, Production and Deployment, scheduled for September 2002; or for initial operating capability currently scheduled for March 2003. JSIMS interacts within a complex environment, including the Intelligence Community, which heightens concern over system security. Intelligence Community personnel identified the following concerns that increase the risk associated with JSIMS security:

• lack of a completed system security procedures manual;

• prior involvement of foreign nationals in JSIMS software development, especially in the Common Component Workstation and the Synthetic Natural Environment;

• lack of a breakdown of specific responsibility for JSIMS system security;

• lack of a developed set of rules for the dissemination of secret collateral intelligence across the run time interface; and

• lack of a full understanding of how different software systems developed by different contractors and DAs interact.

[5] Security certification is a comprehensive evaluation of the technical and non-technical security features of an information technology system and other safeguards, made in support of the accreditation process, to establish the extent that a particular design and implementation meets a set of specified security requirements.

[6] Accreditation is a formal declaration by the Designated Approving Authority that an information technology system is approved to operate in a particular security mode using a prescribed set of safeguards at an acceptable level of risk.

The decentralized management of JSIMS, and the perception by the JSIMS PM and DAs that JSIMS is just a training system, resulted in security receiving minimum attention prior to the December
1999 reorganization directed by the Under Secretary of Defense for Acquisition, Technology, and Logistics. Beginning in March 2000, the JSIMS PM made system security certification and accreditation a major priority. However, JSIMS will have a difficult time achieving certification and accreditation by March 2003.

System Security Authorization Agreement Criteria. The purpose of the System Security Authorization Agreement, required by DoD Instruction 5200.40, is to address each of the security items detailed in the Security Requirements Traceability Matrix. The DS-2610-142-01 DoDIIS Security Guide also contains such requirements. Therefore, the agreement should contain all the information necessary for the collateral Designated Approving Authority, the sensitive compartmented information Designated Approving Authority, and ultimately, the system Designated Approving Authority to make a decision regarding the approval to operate the system. It is a formal agreement between the system PM, the Designated Approving Authority community, certification authorities, and user representatives. The agreement is used throughout the certification process to guide actions, document decisions, specify information technology security requirements, document certification tailoring and level-of-effort, identify potential solutions, and maintain operational system security.

System Security Authorization Agreement Developed for JSIMS. The JSIMS PM has made enormous progress in developing the System Security Authorization Agreement since our initial visit. However, the System Security Authorization Agreement was not complete enough to obtain accreditation and certification and did not satisfy the minimal requirements of DoD Instruction 5200.40 or the DS-2610-142-01 DoDIIS Security Guide.
The System Security Authorization Agreement, prepared by the JSIMS Program Office using the DS-2610-142-01 DoDIIS Security Guide, did not include the following topics, completed in a manner acceptable to the Designated Approving Authority, as required for system accreditation:

• data flow (including data flow diagrams),
• security environment,
• IT system characteristics,
• roles and responsibilities, and
• personnel and technical security controls.

We informed the Designated Approving Authority of the incomplete sections of the JSIMS System Security Authorization Agreement and he agreed that the information associated with those sections is needed for system certification and accreditation. Because JSIMS has a decentralized management structure, eight of the nine DAs act independently and provide their own funding. If the required sections or acceptable alternatives are not adequately documented in the System Security Authorization Agreement, the DAs may not have a clear definition of what they are expected to do to ensure the success of JSIMS.

Certification and Accreditation Approval for the Common Component Workstation. The JSIMS Common Component Workstation software will operate in two security domains. One is an upper security enclave that processes top secret and sensitive compartmented information, and the other is a lower security enclave that processes data at the secret level and lower. Early in the JSIMS development stage, the JSIMS PM did not design security measures into JSIMS and the PM did little to address security until March 2000.
The Common Component Workstation software was not constructed in a trusted environment[7] because the PM for the Warfighting Simulation System, tasked with developing the Common Component Workstation, did not provide proper instructions to the contractor. Further, the System Security Authorization Agreement does not include the information necessary for the JSIMS Common Component Workstation software development to meet certification and accreditation requirements. The JSIMS PM will have difficulty addressing those security issues prior to the established initial operating capability date.

The National Reconnaissance Office is developing a user interface tool that will allow secure operations if the Common Component Workstation does not receive accreditation. It is coordinating the development with the Warfighters’ Simulation Intelligence Module and the Defense Intelligence Agency Object Oriented Model of Intelligence Operations. Personnel within the National Reconnaissance Office stated that they developed the user interface tool because they have no confidence that the Common Component Workstation will be certified by Version Release Module 1.

[7] A trusted environment is an environment where software is constructed by U.S. personnel who are cleared to the secret level and who work in a facility cleared for secret information.

Cost and Schedule

Several factors may negatively impact the JSIMS cost and schedule. We determined that the JSIMS Earned Value Management System does not provide management with adequate cost and schedule information. Also, the JSIMS Program Office has not constructed complete life-cycle cost estimates and has not included additional security requirements and emerging requirements in the life-cycle cost estimates or budgets. Further, the Army Threat System Management Office has not completed a JSIMS System Threat Assessment Report.

Earned Value Management System. DoD Regulation 5000.2-R (Interim), “Mandatory Procedures for Major Defense Acquisition Programs (MDAPs) and Major Automated Information Systems (MAIS) Acquisition Programs,” January 4, 2001 (finalized on June 10, 2001), states that the PM will obtain integrated cost and schedule performance data to monitor program execution. PMs must require contractors to develop and use internal management control systems that:

• produce data indicating work progress,
• properly relate cost,
• identify schedule and technical accomplishment,
• are valid, timely and auditable, and
• provide DoD PMs with summarized information.

Data will be compiled and reported in accordance with the Earned Value Management System, unless the contract is valued at less than $73 million, in which case the data may be compiled in alternative ways. In response to this requirement, the JSIMS PM instituted an earned value reporting system that required each DA to provide earned value information to the JSIMS PM on a monthly basis.

The JSIMS PM compiles the data from the various DAs into a central, monthly earned value report that is intended to provide the JSIMS PM with information that indicates whether the program is meeting cost and schedule goals. However, the earned value data compiled by the JSIMS PM are incomplete and unreliable. The most current earned value report as of March 2001 was produced in January 2001. The January report included outdated data for the National Reconnaissance Office and the United States Marine Corps portions of JSIMS.
Although the Defense Intelligence Agency provided data for its portion of JSIMS for December 2000 and January 2001, it did not provide data prior to that period. Also, although the reports appear to show that the National Security Agency portion of JSIMS is both on schedule and on target for cost, National Security Agency personnel advised that their Earned Value Management System for this contract was not based on planned work. This contract was rebaselined in April 2001 and the contract will begin reporting actual performance indices. Personnel from the Air Force stated that the current prime development contract for their portion of JSIMS does not require the contractor to provide earned value information. However, the contractor has been providing the earned value information to the PM. The Air Force data indicate that the Air Force portion of JSIMS is about 2 percent behind schedule and 1 percent under cost. The Air Force stated that a planned rebaselining of the contract will ensure that the appropriate Earned Value Management System requirements are stated.

As of January 2001, the Navy portion of JSIMS reported 7.6 percent behind schedule. The Army portion of JSIMS reported 3.7 percent behind schedule and 3.8 percent over cost. The earned value documents imply that in order for the Army portion to meet the delivery date for Version Release Module 1.0 (March 2002), some requirements originally intended to be satisfied with Version Release Module 1.0 will be deferred to later versions of JSIMS. A more detailed review of the variances associated with specific aspects of the Army portion of JSIMS revealed that the software development was actually $4.8 million (14 percent) over the projected cost. The JSIMS PM noted that the Army has met its delivery dates for JSIMS integration events including planned delivery of source lines of code and associated functions.
The insufficient earned value reports, coupled with the Army and Navy negative schedule variances, provided no assurance that the JSIMS program would be delivered on time for scheduled initial operating capability and within budget. Furthermore, because of the incomplete nature of the earned value reports, the JSIMS PM could be caught unaware of cost and schedule variances that might materially impact JSIMS.

Also, the various DA earned value reports reflect the schedule status based on internal DA schedules and not the overall JSIMS schedule. Earned value reports have no notation as to how the particular DA schedule relates to the overall JSIMS schedule. Therefore, although an earned value report may indicate that a particular DA portion of JSIMS is behind schedule, it does not necessarily mean that the overall JSIMS schedule is impacted. The JSIMS PM stated that the DA reports should note how a variance affects the overall JSIMS integration events. However, the reviewed reports contained no documentation to indicate how the integration events were impacted. Although the JSIMS PM expressed confidence that JSIMS will be delivered on time and within budget, the Earned Value Management System for JSIMS provides no such assurance.

Life-Cycle Costs. DoD Regulation 5000.2-R (Interim) requires, for reporting purposes, the PM life-cycle cost estimate as defined in DoD 5000.4-M, “Cost Analysis Guidance and Procedures,” December 1992. DoD Regulation 5000.2-R (Interim) also requires that every acquisition program establish program goals, thresholds, and objectives for the minimum number of cost, schedule, and performance parameters that describe the program over its life cycle.
DoD Regulation 5000.2-R (Interim) defines affordability as “the degree to which the life-cycle cost of an acquisition program is in consonance with the long-range investment and force structure plans of the DoD or individual DoD Component.” The PM is required to prepare a life-cycle cost estimate for all Acquisition Category I program initiation decisions and at all subsequent program decision points.

DoD Regulation 5000.2-R (Interim) also requires that the estimating activity explicitly base the life-cycle cost estimate on program objectives, operational requirements, contract specifications, careful risk assessments, and a DoD program work breakdown structure for Acquisition Category I programs. The life-cycle cost estimate must be comprehensive to include all cost elements, such as operation and support costs, that affect the decision to proceed with development or production of the system, regardless of funding source or management control. In addition, DoD Regulation 5000.2-R (Interim) requires the PM to base software systems design and development on systems engineering principles that:

• select the programming language in context of the systems and software engineering factors that influence overall life-cycle costs, risks, and the potential for interoperability; and

• consider embedded training and maintenance techniques to enhance user capability and reduce life-cycle costs.

The JSIMS PM and the DAs are constructing life-cycle cost estimates scheduled for completion during the summer of 2001. The JSIMS PM and the DAs did not have life-cycle cost estimates that identified complete JSIMS costs. The JSIMS PM and the DAs did not construct cost estimates beyond FY 2007, even though the system has an estimated life through 2022.

Unfunded Requirements.
Certain security requirements and validated and emerging program requirements, not accounted for in the JSIMS budget, need to be included in JSIMS life-cycle cost estimates. During the audit, three of the DAs expressed concerns about unfunded requirements for their portion of the JSIMS development. The Defense Intelligence Agency had the most significant unfunded requirement for an additional $35.5 million from FY 2002 through FY 2007, that is needed to provide the complete minimum essential functionality approved by the JSIMS Joint Requirements Control Board. The unfunded requirement included increased automation of organizational behavior and analysis fusion, support for dissemination of imagery and video products, and several other capabilities that would result in a reduction in intelligence personnel needed to support exercises. The JSIMS PM denied that this is an unfunded requirement; however, DIA recorded it as such.

Managers for the Army portion of JSIMS claimed that an additional $11.0 million was needed between FY 2001 and FY 2007, including $4.4 million for additional software development. A component of the Air Force portion of the JSIMS required an additional $1.5 million from FY 2002 through FY 2006. The Air Force recognized that functionality was otherwise jeopardized, and it acknowledged the shortfall and intends to provide the needed funds. Managers for the Navy portion of JSIMS described their funding as uncertain because of emerging requirements. Navy personnel were unable to calculate the amount of funding that will potentially be needed to satisfy its emerging requirements if validated. The JSIMS PM believed there were no unfunded requirements because the JSIMS PM used cost as an independent variable.
The JSIMS PM would complete as many requirements in the Operational Requirements Document as funding permits.

System Threat Assessment Report. As of April 2001, a JSIMS System Threat Assessment Report has not been completed. A System Threat Assessment Report describes the threat that a particular system is projected to encounter during its service life. The JSIMS System Threat Assessment Report is being developed by the Threat System Management Office in Huntsville, Alabama, and it is scheduled to be completed between June 2001 and September 2001. Once completed, the threat assessment report has to be validated by the Defense Intelligence Agency. Because this document was not developed prior to the JSIMS development effort, it is possible that JSIMS may not have addressed key projected system threats. If validated threats are identified that JSIMS needs to be protected against, additional costs and delays may be incurred.

Summary

Historically, JSIMS has had problems that have resulted in schedule delays and increased costs. The new JSIMS management team has made significant progress toward correcting various identified problems. Although the JSIMS PM has made extensive inroads to address system security certification and accreditation issues, JSIMS and the Common Component Workstation will have a difficult time obtaining system security certification and accreditation prior to initial operating capability. The JSIMS PM needs to initiate action to create a trusted environment for development of a Common Component Workstation. The JSIMS PM also needs to complete all minimally required sections in the System Security Authorization Agreement.
Finally, the lack of a reliable Earned Value Management System, coupled with potential unfunded requirements, leaves the JSIMS Program continually vulnerable to additional negative cost and schedule impacts and reduced system capabilities. As a result, there are no assurances that JSIMS will provide the level of information technology security required by initial operating capability or that the Milestone Decision Authority will be able to make informed investment decisions on the JSIMS acquisition.

Management Comments on the Finding and Audit Response

Program Office, Joint Simulation System Comments. The JSIMS PM stated that he generally found many of the audit comments to be accurate, and he indicated that the JSIMS Program Office would continue to pursue solutions to resolve the problems noted. However, management disagreed with certain specific aspects of the Finding. Management agreed that the Earned Value Management System has been problematic, but did not agree that there was no assurance that the system would be delivered on time and within budget. The PM indicated that other metrics were used in addition to the Earned Value Management System, to determine whether costs and schedules were on track, including reviews of planned/delivered source lines of code and planned/delivered functionality for each integration event. The PM also stated that there were no unfunded requirements associated with JSIMS. Further, the PM did not agree that JSIMS may not receive security accreditation in time for initial operating capability. He stated that there was no obstacle to provide all security documentation prior to system fielding and that there were no known security requirements that were not funded. See the Management Comments section of the report for a complete text of the management comments.

Audit Response.
We still maintain that there is no assurance that JSIMS will meet cost and schedule goals for initial operating capability and that not all requirements are documented and funded. Despite the use of a variety of metrics, the JSIMS PM is required to institute an accurate and complete Earned Value Management System. Also, based on recent consultation with the Designated Approving Authority, it will be difficult for JSIMS to obtain security certification and accreditation prior to initial operating capability. Even though the JSIMS security personnel have made great strides in identifying security requirements both during the audit and since the completion of our audit field work, significant work still remains to satisfy those requirements. In some cases, the JSIMS PM disagreed with details in the audit report, not because the details were inaccurate, but because corrective actions had been initiated or completed since the end of our audit field work. We believe that our report was accurate at the time the field work was completed, and we credit the JSIMS PM for initiating prompt corrective action.

Recommendations, Management Comments and Audit Response

In response to management comments on the draft of this report, Recommendation 1. was revised to reflect adherence to DS-2610-142-01, “DoD Intelligence Information System Security Certification and Accreditation Guide,” April 2001 rather than DoD Instruction 5200.40, “DoD Information Technology Security Certification and Accreditation Process,” December 30, 1997.

1.
We recommend the Joint Simulation System Program Manager in accordance with DS-2610-142-01, “DoD Intelligence Information System Security Certification and Accreditation Guide,” April 2001:

a. Develop an overall security policy, including a security procedures manual, and system security requirements;

b. Include all sections required by DS-2610-142-01, “DoD Intelligence Information System Security Certification and Accreditation Guide,” April 2001 in the System Security Authorization Agreement; and

c. Create a secure trusted environment for developing the Common Component Workstation.

2. We recommend the Joint Simulation System Program Manager in accordance with DoD Regulation 5000.2-R (Interim), “Mandatory Procedures for Major Defense Acquisition Programs (MDAPs) and Major Automated Information Systems (MAIS) Acquisition Programs,” January 4, 2001:

a. Require Development Agents to provide complete earned value information; and

b. Construct complete life-cycle cost estimates and include requirements for which funding has not been established.

Program Office, Joint Simulation System Comments. The Program Manager stated that the Joint Simulation System security policy has been published and that the system security procedures manual and security standard operating procedures are being written. These actions were initiated in accordance with DS-2610-142-01, “DoD Intelligence Information System Security Certification and Accreditation Guide,” April 2001 rather than DoD Instruction 5200.40, “DoD Information Technology Security Certification and Accreditation Process,” December 30, 1997, recommended in the draft report.
Funding has been requested to create a secure trusted environment for the development of the Common Component Workstation and corrective actions are ongoing to implement the recommendations addressing the Earned Value Management System and life-cycle cost estimates.

Audit Response. We considered management comments to be responsive.

Appendix A. Audit Process

Scope

We performed this audit in response to a request from the Director, Joint Staff, to evaluate the management of the Joint Simulation System. This is the second audit report on the management of the Joint Simulation System. The first report addressed specific management concerns raised by the Director, Joint Staff. This report addresses the broader topic of overall financial and program management of the development and acquisition of the Joint Simulation System.

We examined program management of JSIMS from September 2000 through April 2001 and reviewed documentation dated from November 1996 through April 2001. We visited the JSIMS PM and each of the nine DAs. We reviewed and analyzed memorandums, modifications to contracts, military interdepartmental purchase requests, accounting reports, correspondence, schedules, briefing charts, and operational and security documents.

General Accounting Office High-Risk Area. The General Accounting Office has identified several high-risk areas in the DoD. This report provides coverage of the Defense Information Management and Technology high-risk area.

Methodology

Audit Type, Dates, and Standards. We performed this program audit from September 2000 through April 2001 in accordance with generally accepted Government auditing standards except that we were unable to obtain an opinion on our system of quality control.
The most recent external quality control review was withdrawn on March 15, 2001, and we will undergo a new review. Accordingly, we included tests of management controls, as considered necessary.

Use of Computer-Processed Data. We did not rely on computer-processed data to perform this audit.

Contacts During the Audit. We visited or contacted individuals and organizations within the DoD and Defense contractors. Further details are available on request.

Management Control Program Review

DoD Directive 5010.38, “Management Control (MC) Program,” August 26, 1996, and DoD Instruction 5010.40, “Management Control (MC) Program Procedures,” August 28, 1996, require DoD organizations to implement a comprehensive system of management controls that provides reasonable assurance that programs are operating as intended and to evaluate the adequacy of those controls.

Scope of the Review of the Management Control Program. For the JSIMS Program, we reviewed the plan for Internal Management and Control of Funds and management self-evaluation. Management’s self-evaluation had uncovered weaknesses prior to our audit, and management had taken corrective action.

Adequacy of Management Controls. We identified material management control weaknesses as defined in DoD Instruction 5010.40. System security controls were incomplete. The earned value management system controls were unreliable, and acquisition program baselines designed to assure that cost and schedule goals are met were unsatisfactory. Management actions taken during the course of the audit, such as development of a Risk Management Plan, combined with implementation of this report’s recommendations will correct the weaknesses.
We will provide a copy of this report to the senior official responsible for management controls in the office of the Under Secretary of Defense for Acquisition, Technology, and Logistics.

Prior Coverage

Inspector General, DoD

Inspector General, DoD, Report No. D-2001-089, “Management Issues at the Joint Simulation System Program Office,” March 30, 2001

Inspector General, DoD, Report No. 97-138, “Requirements Planning and the Impact On Readiness of Training Simulators and Devices,” April 30, 1997

Appendix B. Joint Simulation System Development Agents

JSIMS will incorporate simulations across the full range of military operations. Simulations will also include geophysical, meteorological, oceanographic, and environmental factors. Those simulations will be provided by DAs from the Army, the Navy, the Air Force, and the Marine Corps for each warfare domain (land, maritime, air/space, and amphibious operations). In addition, DAs from the Intelligence Community (the Defense Intelligence Agency, the National Reconnaissance Office, and the National Security Agency) will provide intelligence related simulations. The DAs develop JSIMS software components, field and deploy the system, and provide all required software support. The integration of software is a collaborative activity in that it is led and managed by the JSIMS PM but supported by each DA partner.

Army

The Army is developing the Warfighters’ Simulation System, which includes the Warfighters Simulation System Intelligence Module.
The Warfighters’ Simulation System will replace the Corps Battle Simulation System, the Corps Battle Simulation in Joint Training Confederation, the Combat Service Support Training Simulation System, the Brigade/Battalion Battle Simulation System, and the Tactical Simulation System. The system will provide simulation of the land warfare battle elements for JSIMS and will receive battle elements from JSIMS in areas such as joint and maritime operations, air and space, and intelligence.

Navy

The Navy portion of JSIMS is known as Maritime. Maritime is a technical effort that will provide validated battle elements that represent the maritime domain and that support the development of specialized and unique interfaces required for executing Navy and Marine Corps training evolutions. JSIMS will be used to conduct in-port shipboard combat system team training and at-sea exercises for training individual ship combat teams. Maritime is also being developed to replace legacy Navy training systems to include the Research Evaluation and Systems Analysis System and the Enhanced Naval Warfare Gaming System, which are due to lose funding by FY 2002 and FY 2004, respectively.

Air Force

The Air Force portion of JSIMS contains two components. The first component, known as the National Air and Space Model, provides Air Force aerospace simulation to JSIMS. Those simulations include battle elements such as aircraft (both fixed wing and rotary wing), weapons, electronic jammers, and generic satellite platforms. The system will provide missions, organizations, and civil environment representations.
The National Air and Space Model will replace the Air Force Air Warfare Simulation training system.

The second Air Force JSIMS component is the Joint Operations Information Simulation. The component will provide the JSIMS audience with models for intelligence collection, intelligence reporting, and aspects of electronic warfare. The simulation brings a comprehensive capability to perform intelligence collection through air breathing sensors and can demonstrate electronic warfare capabilities against radars, and tactical related applications to command, control, communications, computer, and intelligence interfaces. The Joint Operations Information Simulation will not replace any Air Force legacy systems.

Marine Corps

The Marine Corps is not performing any JSIMS system development but is providing requirements and funding to the Army and Navy DAs to leverage its portion of JSIMS. The Marine Corps DA depends on the Army for land-based operation simulations and the Navy for sea-based simulations for its model development. JSIMS is a vital piece of training equipment to the Marine Corps because it will replace the Marine Air-Ground Task Force Tactical Warfare Simulation, the current Marine Corps training simulation program.

Defense Intelligence Agency

The Defense Intelligence Agency Object Oriented Model of Intelligence Operations will simulate the U.S. national intelligence cycle at joint task force, theater, and national levels. The simulation will represent the intelligence cycle systems, products, and processes performed or facilitated by the intelligence components. The system will operate in both the collateral and sensitive compartmented information enclaves of JSIMS and will provide intelligence models.
The Object Oriented Model of Intelligence Operations development represents new national-level intelligence functionality that is not currently represented within the current Joint Training Confederation. There is no predecessor for this system.

National Reconnaissance Office

Developed by the National Reconnaissance Office, the National Simulation Program is the imagery intelligence component of JSIMS. It is designed to simulate the imagery intelligence cycle including collection management, resource tasking, and delivery of a message traffic textual product to respond to the initial tasking for Version Release Module 1.0. Messages will generally be at the collateral level. Future models will include a synthetic image. The National Imagery and Mapping Agency will be involved in the simulation process for imagery analysis when National Simulation Program becomes operational. The current comparable simulation system in use is the National Wargaming System managed by the National Reconnaissance Office.

National Security Agency

The National Security Agency is providing JSIMS Joint Signals Intelligence Simulation, which will provide simulations of signal intelligence capability to the warfighting community. The simulation will portray national-level signals intelligence collection, processing, analysis, and reporting functions to the warfighter. The system will produce signal intelligence products for the JSIMS training exercise in the same quantity and quality as a real operation. The simulation will interact with the intelligence portions of the other DAs to provide a comprehensive intelligence picture of the battlespace to the warfighter.

Joint Development Agent

The Joint DA is building two main functions for JSIMS: the Common Component Workstation and the joint models.
The Common Component Workstation provides most of the user interfaces for JSIMS. It implements functions such as scenario generation, exercise control, unit control, and evaluation and reporting. It does not implement the exercise planning, technical control, or information system security control functions. The joint models will simulate command units at the joint task force level. Joint models operate in one of the following modes: role player without automation, role player with automation, or training audience. The Joint DA is also responsible for deployment, logistics, and training for joint locations. The Joint DA is not developing a system to replace a legacy system but is creating a new concept of functionality.

Defense Modeling and Simulation Office

The Defense Modeling and Simulation Office is the builder and advocate for High Level Architecture (HLA) throughout DoD. HLA identifies major functional elements, interfaces, and design rules pertaining as feasible to all DoD simulation applications, and provides a common framework within which specific system architectures can be defined. The Defense Modeling and Simulation Office is responsible for providing the HLA and run time infrastructure as a key component of the core of the JSIMS Program. The Defense Modeling and Simulation Office is not providing or replacing any simulations.

Appendix C. Acquisition Guidance

The Office of Management and Budget and DoD provide managers with guidance for acquiring information technology investments and safeguarding information assets.

Office of Management and Budget

Office of Management and Budget Circular No.
A-130, “Management of Federal Information Resources,” November 30, 2000, implements numerous public laws and other Office of Management and Budget guidance that address acquisition of information technology investments and security of personal information. In accordance with the Clinger-Cohen Act of 1996, Circular A-130 requires that:

• Cost benefit analyses be prepared for each system throughout its life cycle.

• Performance measures be implemented to provide timely information regarding the progress of an information technology program in terms of cost and capability to meet specified requirements, timeliness, and quality.

• Major information systems proceed in a timely fashion toward agreed-upon milestones in an information system life cycle.

• Chief information officers monitor and evaluate the performance of information technology investments through the capital planning investment control process, and advise the agency head on whether to continue, modify, or terminate a program or project.

DoD Guidance

DoD Directive 5000.1. DoD Directive 5000.1, “Defense Acquisition,” March 15, 1996 (subsequently revised on October 23, 2000), establishes a disciplined, life-cycle management approach for acquiring quality products. DoD Directive 5000.1 provides mandatory policies and procedures for the management of acquisition programs, including procedures to ensure program stability.

DoD Directive 5200.28. DoD Directive 5200.28, “Security Requirements for Automated Information Systems (AISs),” March 21, 1988, provides mandatory guidance for safeguarding classified information.
It implements security safeguard provisions of Office of Management and Budget Circular No. A-130, and is a reference source for DoD Instruction 5200.40, “DoD Information Technology Security Certification and Accreditation Process (DITSCAP),” December 30, 1997.

DoD Instruction 5000.2. DoD Instruction 5000.2, “Operation of the Defense Acquisition System,” Change 1, January 4, 2001, establishes a general approach for managing system acquisitions with best life-cycle solutions for satisfying user requirements. DoD Instruction 5000.2 requires chief information officers to confirm that mission-critical and essential information systems are developed in accordance with the Clinger-Cohen Act of 1996 before approvals are granted for contract award.

DoD Regulation 5000.2-R. DoD Regulation 5000.2-R (Interim), “Mandatory Procedures for Major Defense Acquisition Programs (MDAPs) and Major Automated Information System (MAIS) Acquisition Programs,” January 4, 2001, establishes life-cycle procedures and requires earned value management on significant contracts and subcontracts within all acquisition programs.

DoD Instruction 5200.40. DoD Instruction 5200.40, “DoD Information Technology Security Certification and Accreditation Process,” December 30, 1997. DoD Instruction 5200.40 applies to the acquisition, operation, and sustainment of any DoD system that collects, stores, transmits, or processes unclassified or classified information.
The Assistant Secretary of Defense for Command, Control, Communications, and Intelligence oversees and reviews the implementation of DoD Instruction 5200.40, which establishes a standard process, set of activities, general task descriptions, and a management structure to certify and accredit information technology systems that will maintain the security posture of the Defense Information Infrastructure. The key to DoD Instruction 5200.40 is the agreement between the information technology system PM, the Designated Approving Authority, the Certification Authority, and the user representative. Those managers resolve critical schedule, budget, security, functionality, and performance issues. The agreement is documented in the System Security Authorization Agreement that is used to guide and document the results of the certification and accreditation. The objective is to use the System Security Authorization Agreement to establish a binding agreement on the level of security required before the system development begins or before changes to a system are made.

Appendix D.
Report Distribution\n\nOffice of the Secretary of Defense\nUnder Secretary of Defense for Acquisition, Technology, and Logistics\nUnder Secretary of Defense (Comptroller/Chief Financial Officer)\n  Deputy Chief Financial Officer\n  Deputy Comptroller (Program/Budget)\nAssistant Secretary of Defense (Command, Control, Communications, and Intelligence)\n  Director, Investment and Acquisition\n\nJoint Staff\nDirector, Joint Staff\n\nDepartment of the Army\nAuditor General, Department of the Army\nProgram Manager, Joint Simulation System\nProgram Manager, Warfighters Simulation 2000\n\nDepartment of the Navy\nNaval Inspector General\nAuditor General, Department of the Navy\nProgram Manager, Joint Simulation System Maritime\nProgram Manager, United States Marine Corps Development Agent\n\nDepartment of the Air Force\nAssistant Secretary of the Air Force (Financial Management and Comptroller)\nAuditor General, Department of the Air Force\nProgram Manager, National Air and Space Model\n\n\n\n\n                                         20\n\x0cOther Defense Organizations\nDirector, Joint Warfighting Center\nDirector, Defense Intelligence Agency\n   Inspector General, Defense Intelligence Agency\nInspector General, National Reconnaissance Office\nDirector, National Security Agency\n   Inspector General, National Security Agency\n\nNon-Defense Federal Organization\nOffice of Management and Budget, National Security Division\n\nCongressional Committees and Subcommittees, Chairman and\n  Ranking Minority Member\nSenate Committee on Appropriations\nSenate Subcommittee on Defense, Committee on Appropriations\nSenate Committee on Armed Services\nSenate Committee on Governmental Affairs\nSenate Select Committee on Intelligence\nHouse Committee on Appropriations\nHouse Subcommittee on Defense, Committee on Appropriations\nHouse Committee on Armed Services\nHouse Committee on Government Reform\nHouse Subcommittee on Government Efficiency, Financial Management, and\n  
Intergovernmental Relations, Committee on Government Reform\nHouse Subcommittee on National Security, Veterans Affairs, and International\n  Relations, Committee on Government Reform\nHouse Subcommittee on Technology and Procurement Policy, Committee on\n  Government Reform\nHouse Permanent Select Committee on Intelligence\n\n\n\n\n                                         21\n\x0c\x0cProgram Office, Joint Simulation System\nComments\n                                          Final Report\n                                          Reference\n\n\n\n\n                     23\n\x0cFinal Report\n Reference\n\n\n\n\n               24\n\x0c     Final Report\n      Reference\n\n\n\n\n25\n\x0cFinal Report\n Reference\n\n\n\n\nPg 4\n\nPg 4\n\n\n\n\nPg 4\n\n\n\n\n               26\n\x0c      Final Report\n       Reference\n\n\n\n\n     Pg 4\n\n\n     Pg 4\n\n\n\n\n     Pg 4\n\n\n\n\n     Pg 5\n\n\n     Pg 5\n\n\n     Pg 5\n\n\n\n\n27\n\x0cFinal Report\n Reference\n\n\n\n\nPg 5\n\n\n\n\nPg 5\n\n\n\nPg 5\n\n\n\n\nPg 5\n\n\n\n\nRevised\nPg 5\n\n\n\n\n               28\n\x0c      Final Report\n       Reference\n\n\n\n\n     Pg 5\n\n\n\n\n29\n\x0cFinal Report\n Reference\n\n\n\n\nPg 6\n\n\n\n\nPg 6\n\n\n\n\nPg 6\n\n\n\n\n               30\n\x0c      Final Report\n       Reference\n\n\n\n\n     Revised\n     Pg 6\n\n\n\n\n31\n\x0cFinal Report\n Reference\n\n\n\n\nRevised\nPg 6\n\n\n\n\nPg 7\n\n\n\n\n               32\n\x0c      Final Report\n       Reference\n\n\n\n\n     Pg 7\n\n\n\n\n     Pg 7\n\n\n\n\n     Pg 7\n\n\n\n\n     Pg 7\n\n\n\n\n     Pg 7\n\n\n\n\n33\n\x0cFinal Report\n Reference\n\n\n\n\nPg 7\n\n\nPg 8\n\n\n\n\nPg 8\n\n\nPg 8\n\n\nRevised\nPg 8\n\n\n\n\nRevised\nPg 8\n\n\n\n\nPg 8\n\n\n\n\n               34\n\x0c      Final Report\n       Reference\n\n\n\n\n     Pg 9\n\n\n\n\n     Revised\n     Pg 9\n\n\n\n\n     Pg 9\n\n\n\n     Revised\n     Pg 10\n\n\n\n\n35\n\x0cFinal Report\n Reference\n\n\n\n\nPg 10\n\n\n\n\nPg 10\n\n\n\nPg 10\n\n\n\n\nPg 10\n\n\nPg 
10\n\n\n\n\nRevised\nPg 12\n\n\n\n\n               36\n\x0c      Final Report\n       Reference\n\n\n\n\n     Pg 12\n\n\n\n\n     Pg 14\n\n\n\n     Pg 14\n\n\n\n     Pg 14\n\n\n\n\n37\n\x0cFinal Report\n Reference\n\n\n\n\nPg 14\n\n\nPg 14\n\n\n\nPg 14\n\n\n\n\n               38\n\x0cAudit Team Members\nThe Acquisition Management Directorate, Office of the Assistant Inspector General for\nAuditing, DoD, prepared this report. Personnel of the Office of the Inspector General,\nDoD, who contributed to the report are listed below.\n\nMary Ugone\nCharles Santoni\nSean Mitchell\nAverel Gregg\nJohn Mitton\nPatricia Joyner\nDavid Huff\nBridget Yakley\n\x0c'